Compliance Audit vs. Financial Audit: Distinctions
Compliance audits and financial audits serve distinct purposes within regulated industries, yet the two are frequently conflated in practice — a confusion that carries real consequences for organizations subject to oversight by agencies such as the SEC, FDIC, or CFPB. This page examines the structural differences between the two audit types, the regulatory frameworks that govern each, the scenarios in which each applies, and the criteria that determine which engagement — or combination of engagements — a financial institution requires.
Definition and scope
A financial audit is an independent examination of an organization's financial statements to determine whether those statements present fairly, in all material respects, the entity's financial position and results of operations in accordance with an applicable financial reporting framework — most commonly U.S. Generally Accepted Accounting Principles (GAAP) or International Financial Reporting Standards (IFRS). The opinion produced is directed at financial statement users: investors, creditors, and regulators relying on reported numbers. Standards governing financial audits in the United States are issued by the Public Company Accounting Oversight Board (PCAOB) for public-company engagements and by the American Institute of Certified Public Accountants (AICPA) through Generally Accepted Auditing Standards (GAAS) for private-entity and non-public engagements.
A compliance audit, by contrast, examines whether an organization adheres to defined external laws, regulations, contractual requirements, or internal policies. The subject matter is behavioral and procedural — not numeric accuracy in financial statements. A compliance audit might assess adherence to the Bank Secrecy Act (BSA), the Dodd-Frank Act's consumer protection provisions, FINRA's suitability rules, or the CFPB's fair lending standards. The output is typically a findings report documenting gaps, violations, or areas of elevated risk, rather than an opinion on financial statement fairness.
Scope boundaries illustrate the divergence clearly:
- A financial audit asks: Are the numbers right and fairly presented?
- A compliance audit asks: Did the organization follow the required rules?
The two scopes can overlap — for example, a Sarbanes-Oxley Section 404 engagement requires an integrated audit in which the auditor simultaneously opines on financial statements and on the effectiveness of internal controls over financial reporting — but the conceptual distinction between accuracy attestation and behavioral adherence remains structurally intact.
How it works
Financial audit process — The engagement follows a phased structure codified by PCAOB Auditing Standard No. 2101 (Audit Planning) and related standards:
- Risk assessment — Auditors identify accounts and disclosures with significant misstatement risk, including fraud risk, per PCAOB AS 2110.
- Internal control evaluation — For public companies under SEC reporting requirements, auditors evaluate controls over financial reporting as required by Sarbanes-Oxley Section 404(b).
- Substantive testing — Auditors apply analytical procedures and tests of details to verify account balances and transaction classes.
- Completion and opinion — The auditor issues one of four opinion types (unqualified, qualified, adverse, or disclaimer), as detailed further in audit report types for financial services.
Compliance audit process — Structure varies by regulatory regime, but a typical compliance audit in financial services proceeds through:
- Scope definition — Identifying the specific statutes, regulations, or internal policies under review (e.g., BSA/AML obligations, CFPB Regulation Z, or FINRA Rules 3110–3120).
- Control and process mapping — Documenting the organization's procedures designed to achieve compliance.
- Transaction and records testing — Sampling transactions, communications, or records to test whether controls operated as designed. Sampling methodology is a function of risk, as discussed in audit sampling methods for financial firms.
- Gap reporting — Producing a findings report that classifies deficiencies by severity and recommends remediation.
- Management response — Management formally responds to findings, establishing timelines for corrective action.
A compliance audit does not require a licensed CPA to conduct it; qualified compliance officers, internal audit functions, or specialized compliance consulting firms may perform the work. A financial audit of a public company must be performed by a PCAOB-registered firm (PCAOB registration database).
Common scenarios
When a financial audit is required:
- Publicly traded companies must file audited annual financial statements with the SEC under the Securities Exchange Act of 1934, 15 U.S.C. § 78m (SEC EDGAR regulations).
- FDIC-supervised institutions with $500 million or more in total assets must obtain annual independent audits and form audit committees under 12 C.F.R. Part 363 (FDIC audit requirements).
- Registered investment advisers with custody of client assets must obtain a surprise examination or an annual audit of client funds under SEC Rule 206(4)-2 (SEC custody rule).
When a compliance audit is required:
- Broker-dealers registered with FINRA must conduct annual compliance reviews under FINRA Rules 3110 and 3120 (FINRA audit obligations).
- Depository institutions are subject to BSA compliance program requirements mandating independent testing of their AML programs under 31 C.F.R. § 1020.210 (FinCEN regulations).
- Mortgage servicers subject to CFPB supervision face compliance audits aligned with RESPA and TILA requirements (CFPB compliance audit overview).
Dual-engagement scenarios: Large financial institutions routinely run both engagement types in the same annual cycle. A bank holding company may simultaneously support an external financial statement audit under PCAOB standards and an internal compliance audit of its fair lending program under ECOA and the Fair Housing Act. These are managed as separate workstreams with distinct scopes, even when some evidence — such as loan-level transaction data — is shared between teams.
Decision boundaries
The determination of which audit type applies — or whether both apply — rests on four criteria:
| Criterion | Financial Audit | Compliance Audit |
|---|---|---|
| Primary question | Are financial statements fairly stated? | Are regulations and policies followed? |
| Output | Auditor opinion on statements | Findings and gap report |
| Required practitioners | CPA / PCAOB-registered firm (public cos.) | Varies; CPA not required |
| Governing standard | PCAOB AS / GAAS / GAGAS | Specific regulation, agency guidance, or internal policy |
Organizations subject to internal vs. external audit considerations face an additional layer: internal audit functions may conduct compliance audits as a matter of routine governance, while external auditors conduct financial audits as a statutory or regulatory obligation. The Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) governs internal audit practice, while external financial audit practice is governed by PCAOB or AICPA standards depending on entity type.
A useful rule: if the engagement will produce an opinion that travels to third parties — investors, regulators, or creditors — it is almost certainly a financial audit or an integrated audit. If the engagement will produce findings used primarily by management and the board to assess and remediate behavioral adherence gaps, it is a compliance audit. The audit committee's role in financial services firms typically encompasses oversight of both tracks, but the committee's formal approval and sign-off obligations differ by engagement type and applicable regulation.
Entities uncertain about scope boundaries should consult the applicable regulatory text directly. For SEC-reporting companies, the relevant requirements appear in 17 C.F.R. Part 210 and PCAOB standards. For federally insured depository institutions, Part 363 of Title 12 of the Code of Federal Regulations establishes the financial audit threshold, while BSA program rules establish the independent testing requirement for compliance purposes — two distinct statutory obligations that exist in parallel.
References
- PCAOB — Auditing Standards and Guidance
- AICPA — Generally Accepted Auditing Standards
- FDIC — 12 C.F.R. Part 363, Annual Independent Audits and Reporting Requirements
- SEC — Securities Exchange Act of 1934 Reporting Requirements
- FinCEN — 31 C.F.R. Part 1020, BSA Program Requirements for Banks
- FINRA — Rules 3110 and 3120, Supervision and Compliance Programs
- CFPB — Supervision and Examination Manual